In communication systems, user related data can be stored at many different entities like a mobile phone, a server of a service provider, and a node of a mobile operator.
Examples for user related data are (i) personal information like a name, an identifier, or the date of birth of the user, (ii) financial information like a bank account number, credit card number, a credit history, or a bank account balance, (iii) preference information like a list of goods recently ordered or web sites recently visited, browser and mobile phone settings, and (iv) personal context information like location or availability information of the user.
User related data can be regarded as data that is related to an identity of a user in a communication system. In that sense, the concept of a user and user related data can be expanded to other entities having an identity in a communication system, e.g. a device having a device identity like an identification code and device related data stored somewhere. The device related data can be stored together with the identity of the device at an entity of a communication system, e.g. a secret access code being stored with an identification code.
For describing an entity having an identity in a communication system, the term principal is used. A principal is a set of one or more linked identities of an entity in a communication system. A principal can e.g. represent a person, sometimes also called user, or a device as explained before. A user can be represented by one or more principals, and a principal can be shared by one or more users. Thus, data related to a principal, or principal data, can be regarded as information that is related to an identity of said principal. A principal identifier can indicate the identity of a principal at an entity.
Principal related data can be collected and processed by many data stores, which can be operated by different entities. Thus, principal related data can be distributed, i.e. spread, over many entities, and access, exchange, and storage of principal data can occur without knowledge or control of the principal, which is a drawback from a data security point of view.
According to H. Zandbelt, B. Hulsebosch, H. Eertink, “IDsec: Virtual Identity on the Internet”, Internet Engineering Task Force, Internet Draft draft-zandbelt-idsec-01.txt, May 2002, a profile manager can be used to provide to a profile requester access to attributes of a profile, i.e. a data record that contains information about a certain profile owner, stored by the profile manager.
For providing access, the profile requester presents a session certificate provided by the profile owner together with a requester certificate owned by the profile requester to a profile retrieve service of the profile manager. The requester certificate indicates the requested attributes of the profile of the profile owner.
The session certificate is provided to the profile owner when the profile owner logs into a session login service of the profile manager with profile manager specific credentials. The session certificate consists of a profile manager location, i.e. a reference to the profile retrieve service, a session identifier uniquely identifying the session in which the profile owner is logged in, and a profile manager signature used by the profile manager to verify the integrity of the data in the session certificate when the profile requester presents the certificate for profile retrieval. Furthermore, the session certificate contains a public key generated by the profile owner for passing information from the profile requester to the profile owner in a secure manner, and it contains an expiration date preventing reuse of the certificate after the specified date.
When the profile manager receives the request from the profile requester, the profile retrieve service verifies the session certificate and uses the session identifier to find the profile owner associated with the session. Furthermore, the profile manager verifies the profile requester certificate by means of trusted certificates stored by the profile owner.
The profile manager stores an access control list for each attribute of the profile of the profile owner, specifying which profile requesters have read access to that attribute. Based on the requester verification and the access control lists, a requester specific profile is assembled by interpreting the access control list of each attribute requested in the requester certificate. In a response, the attributes of the requester specific profile, encoded in XML format, are sent to the requester.
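As an added illustration (not code from the IDsec draft or from this document), the following Python sketch models the retrieval flow described above: the session login service issues a session certificate, and the profile retrieve service checks its signature and expiration date, looks up the owner by session identifier, verifies the requester against the owner's trusted requesters, and assembles the requester specific profile per attribute before encoding it as XML. The HMAC key standing in for the profile manager signature, the URL, the field names, the profile data and the certificate structure are all assumptions.

```python
import hmac, hashlib, json
import xml.etree.ElementTree as ET

# Constructed sample data; the draft's wire formats are not on the page, so an
# HMAC keyed by the profile manager stands in for its signature.
PM_KEY = b"profile-manager-secret"            # hypothetical PM signing key
RETRIEVE_URL = "https://pm.example/retrieve"  # hypothetical PM location
PROFILES = {"alice": {                        # constructed profile owner
    "attrs": {"name": "Alice", "city": "Oslo", "iban": "NO00 0000 0000 000"},
    "acl": {"name": {"shop", "bank"}, "city": {"shop"}, "iban": {"bank"}},
    "trusted": {"shop", "bank"},              # trusted requester certificates
}}
SESSIONS = {}                                 # session_id -> profile owner

def _sign(fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(PM_KEY, msg, hashlib.sha256).hexdigest()

def session_login(owner, owner_pubkey, now, lifetime=3600):
    """Session login service: issue the owner's session certificate."""
    sid = hashlib.sha256(f"{owner}:{now}".encode()).hexdigest()[:16]  # sample id
    SESSIONS[sid] = owner
    cert = {"pm_location": RETRIEVE_URL, "session_id": sid,
            "owner_pubkey": owner_pubkey, "expires": now + lifetime}
    cert["pm_signature"] = _sign(cert)        # signature over all other fields
    return cert

def profile_retrieve(session_cert, requester_cert, now):
    """Profile retrieve service: verify both certificates, then apply the ACL."""
    body = {k: v for k, v in session_cert.items() if k != "pm_signature"}
    if not hmac.compare_digest(_sign(body), session_cert.get("pm_signature", "")):
        return None, "session certificate signature invalid"
    if now > session_cert["expires"]:
        return None, "session certificate expired"
    owner = SESSIONS.get(session_cert["session_id"])
    if owner is None:
        return None, "unknown session"
    profile = PROFILES[owner]
    requester = requester_cert["requester"]
    if requester not in profile["trusted"]:
        return None, "requester certificate not trusted by owner"
    # requester specific profile: only requested attributes whose ACL lists the requester
    granted = {a: profile["attrs"][a] for a in requester_cert["attributes"]
               if a in profile["attrs"] and requester in profile["acl"].get(a, ())}
    root = ET.Element("profile", owner=owner, requester=requester)
    for name, value in granted.items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode"), "ok"
```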
The solution according to Zandbelt et al. requires a profile manager that is accessed in a session by both the profile owner and the requester for provision of the principal related data to the requester. However, the solution according to Zandbelt et al. does not consider the fact that principal data are already distributed over many entities which are typically not accessible by the principal. An entity containing principal data that is not accessible by the principal is thus excluded from the provision of principal data to a requester. Furthermore, the solution according to Zandbelt et al. is restricted to a session, i.e. out-of-session retrieval of attributes of the profile is not possible. In addition, as only one profile manager can be used per session, profile owner related data distributed over several profile managers cannot be provided to the requester in a session. However, storing all principal data at a single entity is questionable from a security point of view. In addition, the storage of all or a major amount of principal data at a single entity increases the storage capacity needed for storing the principal data. Furthermore, many items of principal data, like the location of a principal, need to be updated. However, transferring data that needs to be updated to a profile manager requires signaling and processing effort both at the entity carrying the profile manager and at the entity where the updated data is generated. Furthermore, using an access control list stored at the profile manager can be inflexible and complex.